escaping single quotes ' 1

[farley99]

I had a guy fill this out with the name O' Brian, and got this error, it works ok with OBrian but the single quote breaks it, how do i fix this.


Secure Online Order Form
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '1','1','','YES','','','','US','',

 

[danielhozac]

Use [tt]mysql_escape_string[/tt] before inserting or updating any values in a MySQL database.

http://www.php.net/manual/en/function.mysql-escape-string.php

//Daniel

 

[farley99]

Help I still get htat error...

$querySTR="INSERT INTO......";
$query = mysql_escape_string($querySTR);
if(mysql_query($query))
echo " ";
else
echo mysql_error();
echo "\n";

Is that the right syntax?

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's','joe','joe's','jk','j','j','j','j','JM','jj','j','j

 

[sleipnir214]

What does exactly does $querySTR look like before and after you invoke mysql_escape_string() against it?

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[sleipnir214]

The reason I am asking is because I don't believe you can use it against the entire query. mysql_escape_string() will probably escape the single quotes that should exist around strings to be inserted.

The way I use mysql_escape_string() is:

$username = "Brian O'Reilly";
$query = "INSERT INTO USERS set username = '" . mysql_escape_string($username) . "'";
mysql_query($query);
.
.
.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[jianbo]

You should first know which column will have insertion content with '. Like
if $name = "O'Brian"
you use $name = mysql_escape_string($name),
then you do "insert

values ('$name'...)
it will work.